Question #1137
Which AWS service provides FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs) for managing cryptographic keys?
AWS Key Management Service (KMS)
AWS Secrets Manager
AWS CloudHSM
AWS Certificate Manager (ACM)
Explanation
The correct answer is C. AWS CloudHSM. AWS CloudHSM provides Hardware Security Modules (HSMs) that are FIPS 140-2 Level 3 validated, ensuring stringent physical and logical security controls for cryptographic key management. CloudHSM allows customers to manage their own encryption keys on dedicated, single-tenant HSMs, which are isolated from other AWS customers.
Why other options are incorrect:
- A. AWS KMS: While KMS uses FIPS 140-2 Level 2 validated HSMs, it does not provide Level 3 validation. KMS is a shared service and does not offer dedicated HSMs.
- B. AWS Secrets Manager: This service focuses on managing secrets (e.g., database credentials) and relies on KMS for encryption, not HSMs.
- D. AWS ACM: This service handles SSL/TLS certificate provisioning and does not involve HSMs.
Key Points:
- FIPS 140-2 Level 3 requires physical tamper resistance and identity-based authentication, which CloudHSM meets.
- CloudHSM is ideal for compliance requirements mandating dedicated, customer-managed HSMs.
Answer
The correct answer is: C